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Executive  Summary 


One  goal  of  the  Networked  Systems  Survivability  Program  of  the  Software  Engineering  Insti¬ 
tute  (SEI)  is  to  transition  information  assurance  courseware,  materials,  and  a  curriculum  on 
survivability  and  information  assurance  to  various  departments  at  institutions  of  higher  edu¬ 
cation  in  the  United  States,  with  a  particular  focus  on  selected  minority-serving  institutions. 
To  accomplish  this,  the  SEI  utilizes  partnerships  that  leverage  the  strengths  of  the  SEI  and  the 
strengths  of  its  partner  educational  institutions.  The  SEI  builds  upon  the  partners’  existing 
trusted  relationships  and  infrastructure,  rather  than  building  a  new  infrastructure.  This  part¬ 
nership  approach  sustains  the  incorporation  of  new  and  evolving  materials  by  the  partners, 
and  is  more  cost-effective  for  all  parties.  The  SEI  seeks  to  strengthen  the  information  assur¬ 
ance  capacity  of  these  “hub”  educational  partner  institutions,  which  are  capable  of  then  refin¬ 
ing  and  (in  the  future)  transitioning  educational  materials  and  courses  to  other  educational 
institutions  in  their  region  (termed  an  Information  Assurance  Regional  Collaborative  Clus¬ 
ter).  This  second-level  transition  helps  to  increase  the  educational  capacity  in  information 
assurance  in  the  United  States. 

Since  2004,  the  SEI  has  established  three  Regional  Collaborative  Clusters  (RCCs)  and  their 
associated  hub  educational  transition  partners  across  the  U.S.  A  key  component  of  each 
RCC — and  the  event  that  launches  it — is  the  Annual  Regional  Information  Assurance  Sym¬ 
posia  co-hosted  by  the  SEI  and  that  region’s  hub  educational  transition  partner.  In  the  initial 
14-month  period  (February  2004-April  2005),  the  prototype  RCC,  the  Mid-Atlantic  RCC,  has 
held  two  successful  annual  symposia  and  a  third  symposium  is  scheduled.  Two  RCCs  whose 
hub  educational  transition  partners  are  California  State  Polytechnic  University,  Pomona  (Cal 
Poly  Pomona)  and  neighboring  Mt.  San  Antonio  College  (Mt.  SAC),  and  Texas  A&M,  Cor¬ 
pus  Christi  (TAMU-CC),  have  each  held  a  successful  initial  annual  symposia,  and  their  sec¬ 
ond  symposia  are  scheduled.  This  initial  report  on  these  annual  regional  symposia  describes 
the  RCC  concept,  the  SEI  approach,  and  the  results  to  date. 
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Abstract 


The  Networked  Systems  Survivability  Program  at  the  Carnegie  Mellon  Software  Engineering 
Institute  (SEI)  seeks  to  transition  information  assurance  and  information  security  courseware 
to  institutions  of  higher  education  within  the  United  States,  with  a  particular  focus  on  minor¬ 
ity-serving  institutions.  Rather  than  build  an  infrastructure  to  accomplish  this,  the  SEI  utilizes 
partnerships,  through  Regional  Collaborative  Clusters,  that  leverage  the  strengths  of  the  SEI 
and  the  strengths  of  the  partner  educational  institutions.  The  SEI  builds  upon  the  partner’s 
existing  trusted  relationships  and  infrastructure,  creating  an  environment  that  sustains  the  in¬ 
corporation  of  new  and  evolving  materials,  and  is  more  cost-effective  for  all  parties.  The  an¬ 
nual  Regional  Information  Assurance  Symposia  are  a  key  transition  component  of  the  Re¬ 
gional  Collaborative  Clusters. 
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1  Introduction 


1.1  SEI  Software  Engineering  Education  Program 

From  the  inception  of  the  Carnegie  Mellon  Software  Engineering  Institute1  (SEI)  until  1995, 
the  SEI’s  Education  Program  defined  master’s  and  undergraduate  software  engineering  cur¬ 
ricula,  created  materials  and  courses  in  those  areas,  and  transitioned  them  to  the  academic 
and  continuing  education  communities.  As  a  member  of  the  SEI’s  Education  Program,  transi¬ 
tioning  software  engineering  materials  and  courses  to  the  academic  community,  the  author 
found  that  it  was  not  difficult  to  extract  what  worked  well  and  what  barriers  to  transition  ex¬ 
isted  under  that  Education  Program  model. 

Successful  transition  meant  that  an  educational  institution  had  the  capacity  to  initially  incor¬ 
porate  those  software  engineering  materials  and  courseware,  as  appropriate,  into  its  own 
courses  and  curricula  and,  over  time,  could  continue  to  refine  and  expand  the  materials  and 
courseware  to  better  reflect  its  educational  interests  and  strengths,  while  also  incorporating 
changing  technology.  In  other  words,  the  SEI’s  materials  and  courseware  provided  a  “jump- 
start,”  enabling  the  institution  to  more  quickly  incorporate  and  offer  software  engineering 
subjects. 

While  materials  and  courseware  might  be  shared  among  faculty  at  a  particular  institution, 
unless  a  faculty  member  moved  to  a  different  institution  and  used  derivative  materials,  the 
transition  was  basically  1:1,  from  the  SEI  to  the  original  institution,  and  on  a  course-by¬ 
course  basis.  An  annual  Conference  on  Software  Engineering  Education  provided  opportuni¬ 
ties  for  faculty  to  present  new  or  adapted  materials,  but  the  sustained  transition  of  applicable 
new  materials  and  the  ability  of  faculty  to  attend  a  second  conference  (the  first  conference 
being  one  in  their  primary  field  of  interest)  proved  limited. 

Given  that  experience,  a  new  model  was  constructed:  a  partnership  that  leverages  the 
strengths  of  the  SEI  and  the  strengths  of  the  partner  educational  institutions,  and  that  builds 
upon  existing  trusted  relationships  and  infrastructure  to  reach  a  far  larger  set  of  educational 
institutions  than  could  be  achieved  by  the  old  model.  This  sustains  the  incorporation  of  new 
and  evolving  materials.  Leveraging  other  complementary  programs,  events,  and  organiza¬ 
tions  broadens  the  offering  and  makes  it  more  cost  effective  to  all  parties  involved.  Central  to 
the  new  model  is  the  concept  of  the  Regional  Collaborative  Cluster. 


1  The  SEI  is  a  federally  funded  research  and  development  center  sponsored  by  the  U.S.  Department 
of  Defense  and  operated  by  Carnegie  Mellon  University. 


CMU/SEI-2005-SR-007 


1 


1.2  Regional  Collaborative  Clusters 

A  Regional  Collaborative  Cluster  (RCC)  is  a  collection  of  educational  institutions  in  a  par¬ 
ticular  geographic  region  that  at  some  level 

•  share  a  common  vision  and  target  student  population 

•  have  cooperated  in  the  past,  or  can  reasonably  be  expected  to  cooperate 

•  have  a  desire  to  incorporate  or  expand  their  information  assurance  content 

•  are  within  a  day’s  drive  (preferably  less)  of  one  another 

1.2.1  Hub  Educational  Transition  Partners 

At  the  heart  of  the  Regional  Collaborative  Cluster  is  the  hub  educational  transition  partner. 
Qualities  of  a  successful  hub  educational  transition  partner  include 

•  the  capacity  to  understand,  adapt,  refine,  and  incorporate  information  assurance  materials 
and  courseware  into  existing  courses  and  curricula 

•  support  by  the  educational  institution  to  accomplish  the  above 

•  active  leadership  and  commitment  by  a  faculty  member  who  is  respected  by  the  commu¬ 
nity 

•  the  existence  of  trusted  relationships  with  other  computer  science,  information  science, 
(computer)  information  systems,  or  software  engineering  departments  in  the  immediate 
geographical  region  and  beyond 

•  a  commitment  to  advance  the  state  of  information  assurance  education  in  the  region 
through  the  sharing  of  materials  and  courseware,  the  facilitation  of  workshops  and  sym¬ 
posia,  and  other  means 

•  the  ability  to  leverage  other  complementary  relationships  and  activities 

•  a  relatively  central  location  with  respect  to  the  other  educational  institutions  in  the  region 
to  reduce  travel  time  to  workshops,  symposia,  and  other  events 

1 .2.2  Operation 

The  SEI  Education  Program  model,  of  necessity,  needed  to  transition  on  a  1: 1  basis  to  define 
and  then  nurture  the  establishment  of  Master’s  in  Software  Engineering  programs  (its  stated 
goal.)  It  did  not  create  an  infrastructure  that  would  encourage  and  empower  the  schools  that 
taught  those  programs  to  transition  and  sustain  the  teaching  of  software  engineering  topics 
and  courses  in  other  educational  institutions.  Creating  and  sustaining  such  an  infrastructure 
from  scratch  is  problematic  at  best. 

The  new  model  leverages  existing,  trusted  working  relationships  of  the  hub  educational  tran¬ 
sition  partner  with  other  computer  science  and  information  science  departments  (or  computer 
information  systems  departments/software  engineering  departments,  or  similar  departments) 
to  help  create  an  infrastructure  (the  Regional  Collaborative  Cluster)  capable  of  transitioning 
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information  assurance  (LA.)  concepts,  materials,  and  courseware  through  workshops,  sympo¬ 
sia,  and  other  means  to  additional  educational  institutions  to  increase  the  IA  educational  ca¬ 
pacity  in  that  region. 

The  SEI  provides  the  hub  educational  transition  partner  with  IA  materials  and  courseware, 
speakers  for  a  kick-off  regional  IA  symposium,  other  SEI  materials  and  courseware  (as  ap¬ 
propriate),  entrees  into  other  Carnegie  Mellon  University  outreach  programs,  and  other  bene¬ 
fits.  Over  time,  the  hub  educational  transition  partner  adapts,  refines,  and  incorporates  addi¬ 
tional  IA  materials  and  courseware  as  appropriate  to  its  particular  environment  and 
curriculum  and  also  shares  the  adapted,  enhanced,  or  new  materials,  courseware,  and  experi¬ 
ence  with  other  educational  institutions.  The  hub  educational  transition  partner  also  sponsors 
and  solicits  attendees  for  the  kick-off  IA  symposium  (again  leveraging  its  existing  relation¬ 
ships)  and  hosts  other  related  workshops. 

The  partnership  between  the  SEI  and  the  hub  educational  institution,  and  through  its  efforts, 
the  Regional  Collaborative  Cluster,  is  ongoing:  this  better  sustains  and  enhances  the  IA  edu¬ 
cational  capacity  in  that  region.  The  goal  is  to  create  a  self-sustaining  cluster  of  colleges  and 
universities  that  continue  to  create,  enhance,  and  adapt  materials  to  their  particular  curricula, 
and  to  share  those  materials  with  faculty  at  those  educational  institutions. 

Whenever  possible,  both  the  hub  educational  transition  partner  and  the  SEI  seek  to  leverage 
other  complementary  programs  and  efforts  (such  as  the  Camegie  Mellon  University  Informa¬ 
tion  Assurance  Capacity  Building  Program).  The  purpose  is  not  to  compete  with  other  oppor¬ 
tunities  to  enhance  and  improve  educational  IA  capacity,  but  to  build  upon  them. 

1 .3  Information  Assurance  Capacity  Building 
Program 

Since  2002,  Camegie  Mellon  University  has  offered  a  month-long  Information  Assurance 
Capacity  Building  Program  (LACBP)  during  the  summer.  The  primary  IACBP  educational 
faculty  are  from  the  Software  Engineering  Institute,  in  particular  from  the  Networked  Sys¬ 
tems  Survivability  Program,  which  includes  the  CERT®  Coordination  Center.2 

The  NSF-funded  IACBP  at  Camegie  Mellon  primarily  targets  faculty  in  computer  and  infor¬ 
mation  science,  computer  information  systems,  or  similar  departments  at  minority-serving 
institutions  (MSIs).  Due  to  the  structure  of  the  program,  participation  is  limited  to  approxi¬ 
mately  seven  educational  institutions  and  approximately  nine  total  faculty. 

Minority-serving  institutions  encompass  Historically  Underrepresented  Colleges  and  Univer¬ 
sities  (HUCUs)3,  Hispanic  Serving  Institutions  (HSIs),  and  Tribal  Colleges.  To  date  only  the 


2  CERT  and  CERT  Coordination  Center  are  registered  in  the  U.S.  Patent  and  Trademark  Office  by 
Camegie  Mellon  University. 

3  Formerly  Historically  Black  Colleges  and  Universities  (HBCUs) 
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first  two  categories  of  MSIs  have  been  represented  in  the  first  four  years  of  Carnegie  Mel¬ 
lon’s  information  assurance  capacity  building  program.  The  author  of  this  report  selects  the 
candidate  educational  institutions  and  the  faculty  for  this  program  (together  with  the  Man¬ 
ager,  Diversity  Outreach  Programs  at  the  SEI)  and  has  led  the  course  and  curriculum  devel¬ 
opment  portion  for  three  of  the  four  years  of  the  program.  This  provides  the  author  with  addi¬ 
tional  opportunities  for  transition  of  IA  materials  developed  at  the  SEI  and  further 
opportunities  for  leverage. 

Although  opportunities  exist  to  discuss  research  during  the  month-long  capacity  building  pro¬ 
gram,  the  primary  focus  is  on  increasing  the  educational  capacity  with  respect  to  IA  at  the 
participating  educational  institutions.  One  of  the  requirements  during  the  program  is  to  de¬ 
scribe  how  a  faculty  member  will  inject  comments,  materials,  topics,  lectures,  modules,  or 
courses  relating  to  information  assurance  into  his  or  her  existing  courses  or  curriculum,  both 
in  the  coming  year  and  beyond.  This  is  accomplished  during  the  course  and  curriculum  de¬ 
velopment  portion  during  the  third  week  of  the  program,  which  culminates  with  presentations 
by  the  faculty  describing  how  they  plan  to  incorporate  IA  into  their  existing  courses  and  cur¬ 
ricula. 

Having  the  faculty  in  Pittsburgh  in  close  proximity  to  the  SEI  for  four  weeks  provides  oppor¬ 
tunities  for  after-hours  presentations  and  discussions  with  staff  at  the  SEI.  Additionally,  the 
Networked  Systems  Survivability  Program  of  the  SEI  provides  each  faculty  member  the  op¬ 
portunity  to  receive  a  copy  of  the  CERT  Training  and  Education  course  Information  Security 
for  Technical  Staff  (ISTS)  (for  self-study  or  academic  use  purposes).  This  is  in  addition  to  the 
course  materials  received  by  the  faculty  as  part  of  the  NSF-funded  capacity  building  program 
(including  a  text  by  Ross  Anderson  [Anderson  2001]).  As  in  the  older  software  engineering 
education  model,  these  materials  and  courseware  provide  a  “jumpstart,”  enabling  the  aca¬ 
demic  institution  to  more  quickly  incorporate  and  offer  (additional)  information  assur¬ 
ance/security  topics. 

A  series  of  after-hours  discussions  between  the  SEI  and  Robert  A.  Willis,  Jr.,  Chairman  of  the 
Department  of  Computer  Science  at  Hampton  University,  during  the  2003  IACBP  defined 
how  to  leverage  the  strengths  of  both  organizations  with  the  goal  of  promoting  the  inclusion 
of  information  assurance/information  security  topics  and  courses  in  the  curricula  of  HUCUs 
in  Hampton’s  region.  Hampton  University  would  be  the  prototype  for  the  hub  educational 
transition  partner  and  its  associated  Regional  Collaborative  Cluster. 

After  the  2003  IACBP,  the  SEI  and  Hampton  University  continued  to  work  together  to  define 
the  Mid-Atlantic  Regional  Collaborative  Cluster  and  plan  the  kick-off  IA  symposium.  The 
regional  extent  of  the  RCC  was  based  on  Hampton  University’s  and  Willis’s  existing  rela¬ 
tionships  with  computer  science  and  information  science  departments  in  HUCUs  within  a 
half-day’s  drive  of  Hampton.  The  Mid-Atlantic  Regional  Collaborative  Cluster  encompasses 
18  HUCUs  in  four  states  and  the  District  of  Columbia  (see  Appendix). 

The  IACBP  at  Carnegie  Mellon  is  one  means  to  build  or  enhance  the  capacity  of  an  academic 
institution  to  incorporate  information  assurance  topics  and  courses  into  its  curriculum,  but  of 
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necessity,  it  reaches  a  limited  number  of  faculty  and  educational  institutions.  However,  the 
results  of  the  IACBP  can  be  leveraged  and  transitioned  to  other  faculty  if  some  of  the  faculty 
who  attend  the  IACBP  and  the  institutions  they  represent  meet  the  faculty  leadership  and  in¬ 
stitutional  characterizations  and  commitments  of  the  hub  educational  transition  partners  of  a 
Regional  Collaborative  Cluster.  Also,  through  the  IA  symposia  offered  in  the  RCCs,  informa¬ 
tion  about  the  IACBP,  among  other  programs  and  opportunities,  can  be  shared  with  the  par¬ 
ticipants. 
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2  Kick-Off  Symposia:  Participants  and 
Topics 


Since  2004,  the  SEI  has  established  three  Regional  Collaborative  Clusters  (RCCs)  and  their 
associated  hub  educational  transition  partners  across  the  U.S.: 

•  Mid-Atlantic  Regional  Collaborative  Cluster  (Hampton  University,  Hampton,  VA) 

•  Southern  California  Regional  Collaborative  Cluster  (California  State  Polytechnic  Univer¬ 
sity,  Pomona  [Cal  Poly  Pomona],  Pomona,  CA,  and  neighboring  Mt.  San  Antonio  Col¬ 
lege  [Mt.  SAC],  Walnut,  CA] 

•  Southern  Texas  Regional  Collaborative  Cluster  (Texas  A&M,  Corpus  Christi  [TAMU- 
CC],  Corpus  Christi,  TX) 

The  kick-off  event  for  the  Regional  Collaborative  Cluster  is  the  Annual  Regional  Information 
Assurance  Symposia  co-hosted  by  the  SEI  and  that  region’s  hub  educational  transition  part¬ 
ner.  To  minimize  conflicts  with  scheduled  academic  classes,  the  symposia  are  held  on  Satur¬ 
day.  The  hub  educational  transition  partner  chooses  the  actual  date  for  the  symposium,  given 
the  partner’s  knowledge  of  the  academic  schedules  of  the  educational  institutions  in  its  clus¬ 
ter.  In  the  initial  12-month  period  (February  2004-January  2005),  the  three  Regional  Collabo¬ 
rative  Clusters  have  each  held  a  successful  initial  Regional  Information  Assurance  Sympo¬ 
sium.  The  prototype  Regional  Collaborative  Cluster  (Mid-Atlantic  RCC)  held  its  second 
annual  symposium  in  April  2005.  All  three  Regional  Collaborative  Clusters  have  scheduled 
their  next  annual  symposia. 

2.1  Mid-Atlantic  Regional  Collaborative  Cluster 

Hampton  University  is  a  hub  educational  transition  partner,  anchoring  the  Mid-Atlantic  Re¬ 
gional  Collaborative  Cluster.  The  SEI’s  primary  collaborator  is  Robert  A.  Willis,  Jr.,  Chair¬ 
man  of  the  Department  of  Computer  Science.  On  February  28,  2004,  Hampton  University  co¬ 
hosted  the  “First  Annual  Hampton  University  Information  Assurance  Symposium:  Building 
Information  Assurance  Capacity  and  Improving  Infrastructure  at  HBCUs,”  targeting  18  His¬ 
torically  Black  Colleges  and  Universities  in  four  states  and  the  District  of  Columbia.  The  SEI 
provided  speakers  in  information  assurance/security  and  software  process  for  this  2004  kick¬ 
off  IA  symposium. 

In  addition  to  Hampton  University  and  the  SEI,  other  sponsors  included  the  Advanced  Net¬ 
working  with  Minority  Serving  Institutions  (AN-MSI)  project,  the  Institute  for  Infrastructure 
and  Information  Assurance  (HA)  at  James  Madison  University,  and  the  Association  of  Com- 
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puter  and  Information  Science  Engineering  Departments  at  Minority  Institutions  (ADMI). 
Registration  was  free. 

The  stated  purpose  of  the  symposium  was  threefold: 

•  to  provide  an  interface  with  governmental  agencies  and  information  assurance  research 
institutions 

•  to  provide  a  forum  that  will  serve  to  build  information  assurance  capacity  and  improve 
infrastructure  at  minority-serving  institutions 

•  to  serve  as  a  model  for  other  regional  workshops  for  minority-serving  institutions 


The  one  day  symposium  included 

•  comments  by  Lawrence  C.  Hale,  Deputy  Director  of  the  Department  of  Homeland  Secu¬ 
rity,  followed  by  a  Q&A  period 

•  a  keynote  address,  “Computers  Under  Attack — What  Can  We  Do?”  by  Richard  Pethia, 
Director  of  the  CERT  Centers  at  Carnegie  Mellon  University’s  Software  Engineering  In¬ 
stitute 

•  a  presentation,  “Higher  Education’s  Role  in  National  Efforts  to  Secure  Cyberspace,”  by 
Rodney  Petersen  of  EDUCAUSE 

•  a  luncheon  address,  “Development  Principles  for  Secure  Software,”  by  Watts  S.  Hum¬ 
phrey,  founder  of  the  software  process  program  at  the  Software  Engineering  Institute 

•  a  presentation,  “Developing  Secure  Software,”  by  Noopur  Davis  of  the  software  process 
program  at  the  Software  Engineering  Institute 

•  a  presentation,  “Coding  Flaws  That  Lead  to  Security  Failures,”  by  Shawn  Heman  of  the 
CERT  Coordination  Center  at  the  Software  Engineering  Institute 

•  a  presentation,  ‘The  Future  of  Security  and  Survivability  Research,”  by  Thomas  Long- 
staff  of  the  CERT  Research  and  Analysis  Centers  at  the  Software  Engineering  Institute 


Faculty  (including  six  department  chairs)  and  students  from  14  universities  in  seven  states 
and  the  District  of  Columbia  attended.  Nine  of  the  18  HUCUs  in  the  Mid-Atlantic  Regional 
Collaborative  Cluster  were  represented,  but  a  significant  snowstorm  around  Virginia  pre¬ 
vented  a  number  of  registered  attendees  from  coming.  Faculty  from  two  additional  HUCUs 
from  outside  the  RCC  attended  as  did  faculty  from  three  other  schools,  two  of  which  were 
co-sponsors.  A  total  of  62  people  attended,  including  one  from  Siemens  Corporation. 

The  Mid-Atlantic  Regional  Collaborative  Cluster  universities  represented  were: 

•  Bowie  State  University  (MD) 

•  Delaware  State  University  (DE) 

•  Elizabeth  City  State  University  (NC) 

•  Hampton  University  (VA) 
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•  Howard  University  (DC) 

•  Norfolk  State  University  (VA) 

•  University  of  the  District  of  Columbia  (DC) 

•  Virginia  State  University  (VA) 

•  Winston-Salem  State  University  (NC) 


Additional  HBCUs  represented  were: 

•  Spelman  College  (GA) 

•  Florida  A&M  University  (FL) 

Other  universities  represented  were: 

•  James  Madison  University  (co-sponsor)  (VA) 

•  Old  Dominion  University  (VA) 

•  Carnegie  Mellon  University  (co-sponsor)  (PA) 


Additional  details  about  the  formation  of  this  prototype  Regional  Collaborative  Cluster,  the 
initial  kick-off  LA  Symposium,  and  other  LA  workshops  held  by  Hampton  University  can  be 
found  in  a  paper  by  Sledge  and  Willis  [Sledge  2004]. 

Two  additional  Regional  Collaborative  Clusters  have  been  established,  both  targeting  His¬ 
panic  Serving  Institutions. 

2.2  Southern  California  Regional  Collaborative 
Cluster 

The  Southern  California  Regional  Collaborative  Cluster  focuses  on  California  State  Univer¬ 
sity  campuses  and  community  colleges  in  southern  California.  The  hub  educational  transition 
partners  are  California  State  Polytechnic  University,  Pomona  (Cal  Poly  Pomona)  in  Pomona, 
CA  (primary),  and  neighboring  Mt.  San  Antonio  College  (Mt.  SAC)  in  Walnut,  CA.  Dr.  Dan 
Manson  of  Cal  Poly  Pomona’s  College  of  Business  Administration  and  Mr.  John  Blyzka  of 
Mt.  SAC’s  Computer  Information  Systems  Department  are  the  primary  collaborators  for  the 
Southern  California  RCC.  Like  Robert  Willis  of  Hampton  University,  these  faculty  members 
from  Cal  Poly  Pomona  and  Mt.  SAC  have  also  participated  in  the  IACBP  at  Carnegie  Mel¬ 
lon. 

The  kick-off  LA  Symposium  was  held  on  December  11,  2004,  at  Cal  Poly  Pomona.  As  co¬ 
sponsor,  the  SEI  provided  speakers  in  information  assurance/security  and  software  process. 
The  other  sponsors  were  the  Cal  Poly  Pomona  Center  for  Information  Assurance  and  the  Re¬ 
gional  Information  Systems  Security  Center:  A  Consortium  for  Security  Education  Training 
and  Service — Mt.  San  Antonio  College  and  California  State  Polytechnic  University,  Pomona. 
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The  symposium  Web  site  is  located  at  http://www.bus.csupomona.edu/ias.asp,  while  a  list  of 
targeted  educational  institutions  (universities,  colleges,  and  community  colleges)  can  be 
found  at  http://www.bus.csupomona.edu/ias_target_inst.asp. 

For  faculty  and  students  who  responded  by  December  1,  2004,  registration  was  free;  it  was 
$25  thereafter  (charged  by  Cal  Poly  Pomona).  For  others  (non-faculty  and  non-students)  reg¬ 
istration  was  $25  if  they  responded  by  December  1,  2004;  it  was  $50  thereafter.  The  first  100 
registrants  received  a  free  128  MB  USB  2.0  flash  drive. 

The  stated  purpose  of  the  symposium  was  threefold: 

•  to  provide  an  interface  with  governmental  agencies  and  information  assurance  research 
institutions 

•  to  provide  a  forum  that  will  serve  to  build  information  assurance  capacity  and  improve 
infrastructure  at  minority-serving  institutions 

•  to  serve  as  a  model  for  other  regional  workshops  for  minority-serving  institutions 


The  one-day  symposium  included 

•  comments  by  Eric  Robles,  Field  Deputy  for  Congresswoman  Lucille  Roybal-Allard  (34th 
District,  CA) 

•  comments  and  a  presentation  by  distinguished  guest  Hun  S.  Kim,  Deputy  Director  for  the 
Strategic  Initiatives  Branch  at  the  Department  of  Homeland  Security,  National  Cyber  Se¬ 
curity  Division. 

•  a  keynote  address,  “Computers  Under  Attack — What  Can  We  Do?”  by  Richard  Pethia, 
Director  of  the  CERT  Centers  at  Carnegie  Mellon  University’s  Software  Engineering  In¬ 
stitute 

•  a  presentation,  “Incident  Management  at  California  State  University,”  by  Georgia  Kill- 
crece,  of  CERT  Training  and  Education  at  the  Software  Engineering  Institute 

•  a  luncheon  address,  “Enhancing  Software  Curriculum  with  Personal  Software  Process 
and  Team  Software  Process,”  by  Iraj  Hirmanpour,  visiting  scientist,  software  process 
program  at  the  Software  Engineering  Institute 

•  a  presentation,  “Developing  Secure  Software,”  by  Noopur  Davis,  of  the  software  process 
program  at  the  Software  Engineering  Institute 

•  a  presentation,  “Coding  Flaws  That  Lead  to  Security  Failures,”  by  Dan  Plakosh  of  the 
CERT  Coordination  Center  at  the  Software  Engineering  Institute 

•  a  presentation,  “Next  Steps,”  by  Carol  Sledge,  of  CERT  Training  and  Education  at  the 
Software  Engineering  Institute,  and  Daniel  Manson,  of  the  College  of  Business  Admini¬ 
stration,  California  State  Polytechnic  University,  Pomona 
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Faculty  and  students  from  18  California  universities  and  colleges  (10  Hispanic  Serving  Insti¬ 
tutions  and  eight  others),  plus  faculty  from  the  University  of  Las  Vegas  in  Nevada  were  in 
attendance,  in  addition  to  the  representatives  from  Carnegie  Mellon  University  in  Pennsyl¬ 
vania.  Eleven  corporate/govemment  agencies  were  also  represented.  A  total  of  90  people  at¬ 
tended  the  symposium. 

California  Hispanic  Serving  Institutions  represented  were: 

•  California  State  Polytechnic  University,  Pomona 

•  California  State  University,  Fullerton 

•  California  State  University,  Long  Beach 

•  California  State  University,  Los  Angeles 

•  California  State  University,  Northridge 

•  California  State  University,  San  Bernardino 

•  Mt.  San  Antonio  College 

•  Long  Beach  City  College 

•  San  Bernardino  Valley  College 

•  University  of  La  Verne 

Other  California  institutions  represented  were: 

•  California  Polytechnic  State  University,  San  Luis  Obispo 

•  Coastline  Community  College,  Garden  Grove 

•  College  of  the  Canyons 

•  California  State  University,  Sacramento 

•  Cypress  College 

•  Humboldt  State  University 

•  University  of  California,  Los  Angeles 

•  National  University 

Corporations  and  governmental  agencies  represented  were: 

•  Beckman  Coulter 

•  Bank  of  the  West 

•  Boeing 

•  City  National  Bank 

•  Countrywide  Financial  Corporation 

•  Disney  Consumer  Products 

•  Los  Angeles  County  Auditor  Controller 


CMU/SEI-2005-SR-007 


11 


•  Nation  Smith  Hermes  Diamond 

•  OCTFCU 

•  Pacific  Alternative  Asset  Management  Company 

•  Systems  Control  &  Security  Inc. 


The  Second  Annual  Regional  Information  Assurance  Symposium  will  be  held  on  December 
10,  2005. 

2.3  Southern  Texas  Regional  Collaborative  Cluster 

The  second  HSI  Regional  Collaborative  Cluster  focuses  on  southern  and  coastal  Texas  with 
Texas  A&M,  Corpus  Christi  (TAMU-CC)  as  the  hub  educational  transition  partner.  Dr.  John 
Fernandez  and  Dr.  Mario  Garcia  of  the  Department  of  Computer  and  Mathematical  Sciences 
at  TAMU-CC  are  the  primary  collaborators  for  the  Southern  Texas  RCC.  Like  our  primary 
collaborators  at  Hampton  University,  Cal  Poly  Pomona,  and  Mt.  SAC,  these  faculty  members 
from  TAMU-CC  participated  in  the  IACBP  at  Carnegie  Mellon. 

The  kick-off  LA  Symposium  was  held  on  January  29, 2005,  at  Texas  A&M,  Corpus  Christi. 

As  co-sponsor,  the  SEI  provided  speakers  in  information  assurance/security  and  software 
process.  The  other  co-sponsor  was  TAMU-CC.  The  symposium  Web  site  is  located  at 
http://iasymposium.tamucc.edu,  and  a  list  of  targeted  educational  institutions  (universities 
and  colleges)  can  be  found  at  http://iasymposium.tamucc.edu/institutions.html. 

TAMU-CC  charged  a  registration  fee  of  $20  to  defray  the  cost  of  meals  and  incidentals. 

The  stated  purpose  of  the  symposium  was  threefold: 

•  to  provide  an  interface  with  governmental  agencies  and  information  assurance  research 
institutions 

•  to  provide  a  forum  for 

-  building  information  assurance  capacity  and  improving  infrastructure  at  minority¬ 
serving  institutions 

-  building  information  assurance  awareness  within  academic,  industrial,  and  govern¬ 
mental  organizations 

-  sharing  knowledge  and  experience  with  faculty,  researchers,  and  institutional  leaders 

•  to  serve  as  a  model  for  other  regional  workshops  for  minority-serving  institutions,  and 
sharing  information  assurance  knowledge  and  experience  with  regional  government  and 
industry  leaders 
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The  one-day  symposium  included 

•  comments  by  Dr.  Alex  Ramirez,  Executive  Director  for  Information  Technology  Initia¬ 
tives,  Hispanic  Association  of  Colleges  and  Universities  (HACU) 

•  comments  and  presentation  by  distinguished  guest  Hun  S.  Kim,  Deputy  Director  for  the 
Strategic  Initiatives  Branch,  Department  of  Homeland  Security,  National  Cyber  Security 
Division 

•  a  keynote  address,  “Computers  Under  Attack — What  Can  We  Do?”  by  Richard  Pethia, 
Director  of  the  CERT  Centers  at  Carnegie  Mellon  University’s  Software  Engineering  In¬ 
stitute 

•  a  luncheon  address,  “Enhancing  Software  Curriculum  with  Personal  Software  Process 
and  Team  Software  Process,”  by  Dr.  Iraj  Hirmanpour,  visiting  scientist,  software  process 
program  at  the  Software  Engineering  Institute 

•  a  presentation,  “Developing  Secure  Software,”  by  James  Over,  software  process  pro¬ 
gram,  Software  Engineering  Institute 

•  a  presentation,  “Coding  Flaws  That  Lead  to  Security  Failures,”  by  Dan  Plakosh,  CERT 
Coordination  Center,  Software  Engineering  Institute 

•  a  presentation,  “Next  Steps,”  by  Dr.  Carol  Sledge,  CERT  Training  and  Education,  Soft¬ 
ware  Engineering  Institute,  and  Dr.  Mario  Garcia,  Texas  A&M,  Corpus  Christi 


Faculty  and  students  from  five  universities  and  colleges  (four  Hispanic  Serving  Institutions 
and  one  other  institution),  plus  faculty  from  the  Rochester  Institute  of  Technology  in  New 
York  were  in  attendance,  in  addition  to  the  representatives  from  Carnegie  Mellon  University 
in  Pennsylvania  (from  the  Software  Engineering  Institute  and  CyLab).  Six  corpo- 
rate/govemment  agencies  were  also  represented.  A  total  of  145  people  attended  the  sympo¬ 
sium. 

Texas  Hispanic  Serving  Institutions  represented  were: 

•  Texas  A&M  University,  Corpus  Christi 

•  Texas  A&M  University,  Kingsville 

•  Texas  A&M  International  University 

•  Del  Mar  College 


One  other  Texas  institution  was  represented: 
•  Trinity  University 


Corporations  and  governmental  agencies  represented  were: 

•  AbsolutSafe,  Inc. 

•  City  of  Corpus  Christi 
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•  Hispanic  Association  of  Colleges  and  Universities  (HACU) 

•  Raytheon,  Naval  Air  Station  Contractor 

•  South  Central  Regional  Maintenance  Center 

•  Whataburger,  Inc. 


The  Second  Annual  Regional  Information  Assurance  Symposium  is  scheduled  for  January 
28,  2006. 

Although  the  three  established  RCCs  share  similarities,  the  RCCs  and  their  hub  educational 
transition  partners  also  exhibit  differences,  which  reflect  not  only  the  other  programs  that  are 
being  leveraged  at  these  hub  partners,  but  also  the  goals  these  partners  have  for  the  educa¬ 
tional  institutions  in  their  regions  and  for  their  own  programs.  Information  on  the  activities  of 
the  hub  educational  partners  can  be  found  in  the  publication  news@sei  [Thomas  2005]. 
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3  Subsequent  Annual  IA  Symposia 


Due  to  the  relative  newness  of  the  Regional  Collaborative  Clusters  and  their  associated  IA 
symposia,  only  one  RCC  has  held  its  second  IA  symposium.  The  Second  Annual  Hampton 
Information  Assurance  Symposium  was  held  on  April  2,  2005,  at  Hampton  University.  As  co¬ 
sponsor,  the  SEI  provided  speakers  in  information  assurance/security  and  software  architec¬ 
ture/component  technology.  The  other  co-sponsors  were: 

•  Hampton  University 

•  Elizabeth  City  State  University 

•  Association  of  Computer  and  Information  Science  Engineering  Departments  at  Minority 
Institutions  (ADMI) 

•  The  Institute  for  Infrastructure  and  Information  Assurance  (IIA)  at  James  Madison  Uni¬ 
versity  (JMU) 

•  Electronic  Systems 

•  Cisco  Systems 

•  National  Information  Assurance  Training  and  Education  Center 

The  symposium  Web  site  is  located  at  http://www.hamptonu.edu/events/ia_symposium/.  Reg¬ 
istration  was  free. 

The  one-day  symposium  included 

•  comments  and  a  presentation  by  distinguished  guest  Hun  S.  Kim,  Deputy  Director  for  the 
Strategic  Initiatives  Branch,  Department  of  Homeland  Security,  National  Cyber  Security 
Division 

•  a  keynote  address,  “Evolving  Cyber  Threats:  Three  Things  for  You  to  Do,”  by  Richard 
Pethia,  Director,  of  the  CERT  Centers  at  Carnegie  Mellon  University’s  Software  Engi¬ 
neering  Institute 

•  a  presentation,  “ADMI’s  Role  in  Information  Assurance,”  by  Dr.  Andrea  W.  Lawrence, 
Chair  of  Computer  Science  at  Spelman  College  and  current  President  of  ADMI 

•  a  presentation,  “NIST  Computer  Security  Division  Activities,”  by  Dr.  Alicia  Clay,  Dep¬ 
uty  Chief  for  the  Computer  Security  Division  of  the  National  Institute  of  Standards  and 
Technology  (NIST) 

•  a  luncheon  address,  “Putting  the  Play  into  ‘Plug  and  Play,’  ”  by  Linda  Northrop,  Director, 
Product  Line  Systems  Program  at  the  Software  Engineering  Institute 
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•  a  presentation,  “Prediction-Enabled  Component  Technology,”  by  Scott  Hissam  of  the 
Product  Line  Systems  Program  at  the  Software  Engineering  Institute 

•  a  presentation,  “Coding  Flaws  That  Lead  to  Security  Failures,”  by  Dan  Plakosh  of  the 
CERT  Coordination  Center  at  the  Software  Engineering  Institute 

•  a  presentation,  “Future:  Survivability  and  Information  Assurance  Curriculum,”  by  Dr. 
Carol  Sledge,  CERT  Training  and  Education  at  the  Software  Engineering  Institute 


Faculty  (including  seven  department  chairs)  and  students  from  1 1  universities  in  four  states 
and  the  District  of  Columbia  attended.  Eight  of  the  18  HUCUs  in  the  Mid-Atlantic  Regional 
Collaborative  Cluster  were  represented.  Total  attendance  over  the  course  of  the  day  was  85: 
42  faculty  (3 1  HUCU  faculty),  37  students,  three  commercial  attendees,  and  three  govern¬ 
ment  attendees. 

Mid-Atlantic  Regional  Collaborative  Cluster  Universities  represented  were: 

•  Bennett  College  (NC) 

•  Elizabeth  City  State  University  (NC) 

•  Hampton  University  (VA) 

•  Morgan  State  University  (MD) 

•  North  Carolina  A&T  (NC) 

•  Norfolk  State  University  (VA) 

•  University  of  the  District  of  Columbia  (DC) 

•  Winston-Salem  State  University  (NC) 

One  additional  HUCU  was  represented: 

•  Spelman  College  (GA) 


One  community  college  was  represented: 

•  Thomas  Nelson  Community  College  (Hampton,  VA) 

Commercial/govemment  organizations  represented  were: 

•  National  Defense  University 

•  Booz  Allen  Hamilton 

•  Cisco  Systems 

•  Electronic  Systems 

•  Chesterfield  County  (VA) 

The  Third  Annual  Hampton  Information  Assurance  Symposium  has  been  scheduled 
for  April  6,  2006. 
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4  Conclusions 


One  goal  of  the  Networked  Systems  Survivability  Program  of  the  Software  Engineering  Insti¬ 
tute  (SEI)  is  to  transition  information  assurance/security  courseware,  materials,  and  a  curricu¬ 
lum  in  survivability  and  information  assurance  to  various  departments  at  institutions  of 
higher  education  in  the  United  States,  with  a  particular  focus  on  selected  minority-serving 
institutions.  To  accomplish  this,  the  SEI  utilizes  partnerships  that  leverage  the  strengths  of  the 
SEI  and  the  strengths  of  its  partner  educational  institutions.  The  SEI  builds  upon  the  partners’ 
existing  trusted  relationships  and  infrastructure,  rather  than  building  a  new  infrastructure. 

This  partnership  approach  sustains  the  incorporation  of  new  and  evolving  materials  by  the 
partners,  and  is  more  cost-effective  for  all  parties.  The  SEI  seeks  to  strengthen  the  informa¬ 
tion  assurance  capacity  of  these  “hub”  educational  partner  institutions,  which  can  then  refine 
and  (in  the  future)  transition  educational  materials  and  courses  to  other  educational  institu¬ 
tions  in  their  regions.  Our  goal  is  to  create  a  self-sustaining  cluster  of  schools  (termed  an  In¬ 
formation  Assurance  Regional  Collaborative  Cluster)  that  continue  to  enhance  and  adapt  ma¬ 
terials  to  their  particular  curricula,  and  share  those  materials  with  faculty  at  colleges  and 
universities.  This  second-level  transition  helps  to  increase  the  educational  capacity  in  infor¬ 
mation  assurance  in  the  U.S. 

Since  2004,  the  SEI  has  established  three  Regional  Collaborative  Clusters  (RCCs)  and  their 
associated  hub  educational  transition  partners  across  the  U.S.  A  key  component  of  the  RCC 
(and  the  kick-off  event)  is  the  Annual  Regional  Information  Assurance  Symposia  co-hosted 
by  the  SEI  and  that  region’s  hub  educational  transition  partner.  In  the  initial  14-month  period 
(February  2004-April  2005),  the  prototype  RCC  (Mid-Atlantic  RCC)  has  held  two  successful 
annual  symposia,  while  the  two  RCCs  with  hub  educational  transition  partners  California 
State  Polytechnic  University,  Pomona  (Cal  Poly  Pomona)  and  neighboring  Mt.  San  Antonio 
College  (Mt.  SAC),  and  Texas  A&M,  Corpus  Christi  (TAMU-CC)  have  each  held  a  success¬ 
ful  initial  annual  symposia,  with  their  second  symposia  scheduled.  This  initial  report  on  these 
annual  regional  symposia  described  the  RCC  concept,  the  SEI  approach  and  the  results  to 
date.  Further  information  on  the  educational  outreach  project  of  the  Networked  Systems  Sur¬ 
vivability  Program  can  be  found  in  [Sledge  2005], 
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Appendix 


Mid-Atlantic  Regional 
Collaborative  Cluster 
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